03-10-2012 09:40 PM - edited 03-11-2019 03:40 PM
Hi friends,
I am saravanan from Utah. One of our customers has asked us to NAT from the LAN to the Voice LAN based on destination IP address in order to access a public phone server through a vendor-managed voice router.
Internet for everything else
|
|
Inside ------------------------> ASA 5510 -----------------> Voice router ------> outside to public phone server only
10.10.1.0/20 10.10.1.7/320 172.16.20.1/24
Voice------------------------->
172.16.20.0/24 172.16.20.254/24
Here the ASA 5510 has an interface in both networks, and the inside network can ping the voice network through the firewall by using nonat ACLs. The phone server can only talk to the 172.16.20.0/24 network, so I need to NAT the 10.10.1.0/20 network to the Voice interface on the ASA, 172.16.20.254/24.
So I think I need the following static, but I get the error below:
static (Inside,Voice) interface 10.10.0.0 netmask 255.255.240.0
WARNING: All traffic destined to the IP address of the Voice interface is being redirected.
WARNING: Users will not be able to access any service enabled on the Voice interface.
ERROR: Invalid netmask with interface option
Sanitized ASA Config
ASA Version 8.2(5)
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.10.1.7 255.255.252.0
!
interface Ethernet0/1.2
vlan 2
nameif Voice
security-level 100
ip address 172.16.20.254 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.10.0.0 255.255.240.0 172.16.20.0 255.255.255.0
access-list nonat extended permit ip 172.16.20.0 255.255.255.0 10.10.0.0 255.255.240.0
access-list Voice_in extended permit ip any any
access-list Voice_in extended permit icmp any any
access-list Voice_in extended permit gre any any
access-list Voice_in extended permit tcp any any
access-list Voice_in extended permit udp any any
access-list Inside_in extended permit ip any any
access-list Inside_in extended permit icmp any any
access-list Inside_in extended permit gre any any
access-list Inside_in extended permit tcp any any
access-list Inside_in extended permit udp any any
global (Outside) 10 interface
nat (Inside) 0 access-list nonat
nat (Inside) 10 10.10.0.0 255.255.240.0
nat (Voice) 0 access-list nonat
access-group Inside_in in interface Inside
access-group Voice_in in interface Voice
static (inside,Voice) 10.10.0.0 255.255.240.0 172.16.20.0 255.255.255.0
route Inside XX.XX.XX.XX XXX.XXX.XXX.XXX 172.16.20.1 1
Any help would be appreciated!
Thanks
03-10-2012 10:19 PM
Static(inside,inside) 10.10.0.0 255.255.255.240 10.10.0.0 255.255.240.0
Static(voice,voice) 172.16.20.0 255.255.255.0 172.16.20.0 255.255.255.0
Sent from Cisco Technical Support iPad App
03-11-2012 05:21 PM
Zill,
Thanks for the quick reply. The only commands that the ASA will take similar to what you put are:
static (Inside,Inside) 10.10.0.0 10.10.0.0 netmask 255.255.240.0
static (Voice,Voice) 172.16.20.0 172.16.20.0 netmask 255.255.240.0
And after entering these it still doesn't work.
Also, since I have the nonat in there for these same networks, wouldn't the ASA get confused when I add those two statics?
03-11-2012 05:47 PM
No, the statements that I sent you are for traffic that is initiated from the voice zone to the voice zone and from the inside zone to the inside zone...
One thing you need to make sure of: if your requirement is to NAT the traffic from inside to voice then you should not use nonat statements, because if NAT-Control is enabled then you have to NAT all traffic, whether your source is from inside to inside, from voice to voice, from inside to voice or from voice to inside.
You are using nonat from inside to voice and from voice to inside and at the same time you are using static 1-to-1 mapping for both networks. As per the rules, the ACL will be checked first, the traffic will never be NATted and the static mappings will never come into play.
So you should remove your nonat statements.
Add the static statements that I mentioned earlier, remove the nonat statements and let me know.
Thanks
Sent from Cisco Technical Support iPad App
03-11-2012 05:48 PM
And use the correct subnet mask... I wrote a different subnet mask in my first post and you are using a different one... Just make sure...
Thanks
Sent from Cisco Technical Support iPad App
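The order of operations the reply above relies on (NAT exemption first, then static, then policy nat, then regular nat with a matching global) is easy to get wrong from memory, so here is a small Python model of the ASA 8.2 NAT lookup, an added example that is not Cisco code and not from anyone in this thread. It parses the thread's interface, access-list, nat, global and static lines and reports which rule a new inside-to-voice connection would hit. The Outside interface address 203.0.113.2, the voice_pat ACL and nat/global id 20 (a destination-based PAT onto the Voice interface address, the usual 8.2 way to hide a whole subnet behind one interface address) are assumptions added for the example, as are the function names; the error raised for `static ... interface` with a non-host netmask is the one quoted in the first post.

```python
"""ASA 8.2 NAT lookup order, modelled in Python (added example, not Cisco code).
A new connection takes the first match in this order:
  1. nat (ifc) 0 access-list <acl>                                    NAT exemption
  2. static (real,mapped) <mapped> <real> netmask <mask>              static NAT
  3. nat (ifc) <id> access-list <acl> + global (egress) <id> interface   policy PAT
  4. nat (ifc) <id> <net> <mask>      + global (egress) <id> interface   regular PAT
Only 'global ... interface' and 'permit ip <net> <mask> <net> <mask>' ACEs are parsed;
ingress/egress come from the connected networks, anything else leaves via Outside.
"""
import ipaddress
from collections import defaultdict


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    cfg = {"acl": defaultdict(list), "ifnet": {}, "exempt": [], "static": [],
           "policy": [], "dynamic": [], "global": {}}
    ifc = None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":
            ifc = t[1]
        elif t[:2] == ["ip", "address"]:
            cfg["ifnet"][ifc] = (t[2], _net(t[2], t[3]))  # (address, connected net)
        elif t[0] == "access-list" and len(t) == 9 and t[4] == "ip":
            cfg["acl"][t[1]].append((_net(t[5], t[6]), _net(t[7], t[8])))
        elif t[0] == "nat":
            ifc_in, nat_id = t[1].strip("()"), int(t[2])
            if t[3] == "access-list":
                cfg["exempt" if nat_id == 0 else "policy"].append((ifc_in, nat_id, t[4]))
            else:
                cfg["dynamic"].append((ifc_in, nat_id, _net(t[3], t[4])))
        elif t[0] == "global" and t[3] == "interface":
            cfg["global"][int(t[2])] = t[1].strip("()")
        elif t[0] == "static":
            real_if, mapped_if = t[1].strip("()").split(",")
            mapped, real, mask = t[2], t[3], t[5]
            # 'static ... interface' maps onto one address, so only a host mask is
            # accepted; this is the error the first post's command ran into.
            if mapped == "interface" and mask != "255.255.255.255":
                raise ValueError("Invalid netmask with interface option")
            cfg["static"].append((real_if, mapped_if, mapped, _net(real, mask)))
    return cfg


def _ifc_for(cfg, ip):
    ip = ipaddress.ip_address(ip)
    return next((n for n, (_, net) in cfg["ifnet"].items() if ip in net), "Outside")


def _acl_hit(cfg, name, src, dst):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in cfg["acl"][name])


def translate(cfg, src, dst):
    """Return (matching rule, source address as seen on the egress interface)."""
    ingress, egress = _ifc_for(cfg, src), _ifc_for(cfg, dst)
    for ifc, _, acl in cfg["exempt"]:                       # 1. exemption wins outright
        if ifc == ingress and _acl_hit(cfg, acl, src, dst):
            return "nat 0 (exempt)", src
    for real_if, mapped_if, mapped, real in cfg["static"]:  # 2. static, real -> mapped
        if (real_if, mapped_if) == (ingress, egress) and ipaddress.ip_address(src) in real:
            base = cfg["ifnet"][mapped_if][0] if mapped == "interface" else mapped
            offset = int(ipaddress.ip_address(src)) - int(real.network_address)
            return "static", str(ipaddress.ip_address(base) + offset)
    for ifc, nat_id, acl in cfg["policy"]:                  # 3. policy PAT
        if ifc == ingress and _acl_hit(cfg, acl, src, dst) and cfg["global"].get(nat_id) == egress:
            return f"nat {nat_id} (policy)", cfg["ifnet"][egress][0]
    for ifc, nat_id, net in cfg["dynamic"]:                 # 4. regular PAT
        if ifc == ingress and ipaddress.ip_address(src) in net and cfg["global"].get(nat_id) == egress:
            return f"nat {nat_id}", cfg["ifnet"][egress][0]
    return "none", src  # no xlate: forwarded as-is with nat-control off, dropped with it on


# The thread's relevant lines plus a constructed Outside interface (203.0.113.2) and an
# assumed destination-based PAT (ACL voice_pat, id 20) onto the Voice interface address.
THREAD_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 ip address 203.0.113.2 255.255.255.0
interface Ethernet0/1
 nameif Inside
 ip address 10.10.1.7 255.255.252.0
interface Ethernet0/1.2
 nameif Voice
 ip address 172.16.20.254 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.240.0 172.16.20.0 255.255.255.0
access-list voice_pat extended permit ip 10.10.0.0 255.255.240.0 172.16.20.0 255.255.255.0
global (Outside) 10 interface
global (Voice) 20 interface
nat (Inside) 0 access-list nonat
nat (Inside) 20 access-list voice_pat
nat (Inside) 10 10.10.0.0 255.255.240.0
"""
# The same config with the exemption removed, as the reply above suggests.
FIXED_CONFIG = "\n".join(l for l in THREAD_CONFIG.splitlines() if "nonat" not in l)
```

With the nonat exemption present, `translate()` reports the inside-to-voice flow as exempt and the source stays 10.10.1.50; with the exemption removed the same flow is translated to 172.16.20.254 by the policy PAT, while internet-bound traffic still uses nat 10 / global (Outside), and a flow that matches nothing is left untranslated (which the ASA forwards only because, as the last post says, nat-control is off). The on-box equivalent is `packet-tracer input Inside tcp 10.10.1.50 1234 172.16.20.10 5060`, whose NAT phase shows which nat or static line matched.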
03-19-2012 09:44 AM
NAT-Control is not enabled